Securing serverless applications

We want to prevent unauthorized access and use of information. Additionally, we want to ensure that the application or service works as intended and only as intended. Another advantage of serverless is that we are working in a SaaS model where security is almost entirely the cloud provider's responsibility (in the shared responsibility model).

For more details, refer to Mark Nunnikhoven's talk "Securing Serverless Applications - Step-by-Step": https://www.youtube.com/watch?v=B3j4xql7we0.

Securing serverless applications comprises three components: AWS services, application code, and data flows.

The following are the steps you need to perform for serverless security. For the AWS services involved:

  1. What data is involved in the app? Map out the data involved in the application to understand your risk. For example, PII, credit card details, and other such sensitive data, and the code that processes it.
  2. What is the value of that data? After mapping the data involved in the application, assign a value to it based on the risk or sensitivity of the data.
  3. What services access the data? Identify each of the services and how they can be configured. List the services used and assign a risk score to each of them.
  4. Verify compliance eligibility. For example, if there are payments involved in your application, then the credit card information is sensitive and comes under PCI compliance. AWS has certified services for processing this data, but remember to include supporting services such as AWS IAM and AWS KMS in your list.
  5. Configure each service appropriately. S3 and IAM defaults are nonpublic and deny everything, which is a good thing. You need to understand the configuration parameters and choices for each service.
  6. Add automated tests for each configuration. Test it after you have configured the services to ensure what you set up is exactly what is running in production. It's good practice to test constantly: re-run all the tests after any changes.
For the application code and the data flows:

  1. Write better code. Code quality is a problem, and we can do better from a code perspective. Ensure that the quality of the code improves over time with more experience.
  2. Reduce and verify dependencies. Be careful about imports: dependencies include code written by different people at different skill levels.
  3. Add automated tests for the code. Test the code thoroughly. Creating automated test suites will help ensure the process is run as frequently as necessary with minimum effort.
  4. Security test or profile the code. Look for known issues in the code. There are many static analysis tools available, including open source ones.
  5. Monitor the flow of information. Once the mapping is done, you can monitor the flow of information. AWS X-Ray can be used to help analyze and debug distributed applications. Getting to know how information flows through your application also helps with configuring its security. You can leverage Amazon CloudWatch to set up a trigger that sends events to AWS Lambda, and then create an allowlist of known-good events and service calls, which can itself be a serverless application. If a bad event is received, you can send appropriate alerts. You can also leverage Amazon Macie to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) and provides you with dashboards and alerts on how this data is being accessed or moved. Currently, Amazon Macie supports S3 storage only. You can also analyze CloudTrail data for anomalies and configuration changes; for example, changing an S3 bucket's access from private to public will raise an alert.
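As an added example of the monitoring step (not code from the book or from AWS), here is a Lambda-style handler that triages CloudTrail records delivered through a CloudWatch/EventBridge rule: calls that match an allowlist of known-good (caller, service, API) triples, derived from the data-flow map, pass silently; S3 control-plane calls that can flip a bucket from private to public are raised as high-severity alerts; anything else off the map is a medium-severity anomaly. The records, account id, role and user names are constructed samples, and the `detail` envelope the handler unwraps is an assumption about how the rule forwards the event.

```python
import json

# Constructed sample CloudTrail records (field names follow the CloudTrail record
# format; every value is made up). The second record sets a public-read ACL.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/lambda"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-bucket",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": [
                               {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/lambda"},
     "requestParameters": {}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
]

# Allowlist of known-good calls taken from the application's data-flow map
# (constructed for this example: the app role reads S3 objects and decrypts with KMS).
ALLOWED_CALLS = {
    ("arn:aws:sts::123456789012:assumed-role/app-role/lambda", "s3.amazonaws.com", "GetObject"),
    ("arn:aws:sts::123456789012:assumed-role/app-role/lambda", "kms.amazonaws.com", "Decrypt"),
}

# S3 APIs that can change a bucket from private to public.
PUBLIC_EXPOSURE_APIS = {"PutBucketAcl", "PutBucketPolicy", "DeleteBucketPublicAccessBlock"}
# Canned-ACL grantee groups that mean "everyone" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_grants_public(params):
    """True when a PutBucketAcl request grants a permission to a public group."""
    grants = (params.get("AccessControlPolicy", {})
                    .get("AccessControlList", {})
                    .get("Grant", []))
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS for g in grants)


def classify_event(record):
    """Return (severity, reason) for one CloudTrail record."""
    caller = record.get("userIdentity", {}).get("arn", "")
    source = record.get("eventSource", "")
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    if (caller, source, name) in ALLOWED_CALLS:
        return ("ok", "on allowlist")
    if source == "s3.amazonaws.com" and name in PUBLIC_EXPOSURE_APIS:
        bucket = params.get("bucketName", "<unknown>")
        if name == "PutBucketAcl" and acl_grants_public(params):
            return ("high", f"{name} grants a public ACL on bucket {bucket}")
        return ("high", f"{name} on bucket {bucket} may expose it publicly")
    return ("medium", f"unexpected call {source}/{name} by {caller}")


def triage(records):
    """Return (eventName, severity, reason) for every record that is not on the allowlist."""
    alerts = []
    for record in records:
        severity, reason = classify_event(record)
        if severity != "ok":
            alerts.append((record.get("eventName", ""), severity, reason))
    return alerts


def lambda_handler(event, context):
    """Entry point for the rule-triggered function. Assumes the CloudTrail record
    arrives under the "detail" key (EventBridge envelope) or as the bare record."""
    record = event.get("detail", event)
    severity, reason = classify_event(record)
    if severity != "ok":
        # In a deployment this is where an SNS publish or ticket creation would go.
        print(json.dumps({"alert": severity, "reason": reason}))
    return {"severity": severity, "reason": reason}


if __name__ == "__main__":
    for name, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {name}: {reason}")
```

The allowlist is the product of the data-mapping steps earlier on the page: every (caller, service, API) triple that the application legitimately needs goes in, and the detection then only has to explain what is left over. Keeping the set small and reviewed is what makes the medium-severity "unexpected call" category useful rather than noisy.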